Thursday, June 6, 2013

As Security Innovation gets bigger we've realized we need some way to preserve what makes the company special, for our customers and for our employees. I think it all comes down to Values, since that's what describes the 'Why' of what we do. Why is so much more important than What since it is the foundation, the motivation behind everything we do, and in the end I think it's the best way to capture the magic of who we are as a company. I think many people would start an exercise like this by defining Vision and Mission first, a top-down approach. We've found it's more powerful to start with values and build upwards from there.

First some definitions:

Vision: Where do you want to go? What's over the horizon?

Mission: Who are you? What do you do?

Values: What do you value? Why are you doing what you do? What's important and if you gave it up would destroy the value of the company?

I've also added in a couple of goals which I think of as a tactical approach to achieving the mission. Maybe they should just be folded into the mission itself.

Here's what we've come up with so far. It's not complete, just a work in progress. What do you think?

Vision:

A world free of security vulnerabilities

To be the most trusted application security partner on the planet.

Mission:

To enable the success of our customers' application security programs.

Improve the security of every application we touch

Provide the world’s best combination of security expertise, trustworthiness, effectiveness, and technology to our customers

Goals:

Apply Standards, Education and Assessments (the Three Pillars of Success) to create a customized solution for each of our customers.

Drive the success of each customer's application security program through a targeted set of standards, education and/or assessments based upon our understanding of their unique culture, process maturity and application security goals.

Values:

We believe everyone has the right to secure software

We believe everyone has the right to use a computer without fear

We focus on the fix

We believe developer education is a key means to achieving better security

We believe increased awareness of security risks and mitigations will result in a healthier software ecosystem

We believe 3rd party assessments of software can be used to keep development teams honest with themselves and their users

We believe that we can add the most value when our customers see us as a trusted advisor to improve security long term

We believe in measuring and holding ourselves accountable to customer satisfaction in our services and products

We believe in empowering our employees to learn and develop their skills

We believe in an environment of trust and open communication amongst all members of the organization